MiniDuke pierces Adobe sandbox, uses Twitter to get instructions.

One of the Twitter feeds MiniDuke-infected machines use to locate a command-and-control server.

Kaspersky Lab

Unidentified attackers have infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden and Twitter and Google to ensure it always has a way to receive updates.

MiniDuke, as researchers from Kaspersky Lab and Hungary-based CrySyS Lab have dubbed the threat, bears the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an e-zine of the same name. Because MiniDuke is written in assembly language, most of its files are tiny. Its use of multiple levels of encryption and clever coding tricks makes the malware hard to detect and reverse-engineer. It also employs a method known as steganography, in which updates received from control servers are stashed inside image files.

In another testament to the skill of the attackers, MiniDuke has taken hold of government agencies, think tanks, a US-based healthcare provider, and other high-profile organizations using the first known exploit to pierce the security sandbox in Adobe Systems' Reader application. Adding intrigue to this, the MiniDuke exploit code contained references to Dante Alighieri's Divine Comedy and also alluded to 666, the Mark of the Beast discussed in a verse from the Book of Revelation.

"When we started looking at the backdoors themselves, we said, 'Now this is very interesting' because it's certainly professionally done and it takes us back to a golden age of the incredibly complex viruses and coding techniques that were used when 29A was around," Kaspersky Lab expert Kurt Baumgartner told Ars. "29A was the elite of the elite when it came to virus writing. Everybody hoped that their stuff never got out, because they were writing metamorphic, viral engines. They advanced viral code that they maintained in their magazine."

Three’s company

MiniDuke is a three-stage attack that drops its first payload after tricking a victim into opening an authentic-looking PDF document referring to highly relevant topics including human rights, Ukraine's foreign policy, and NATO membership plans. Infected machines then use Twitter or Google to retrieve encrypted instructions showing them where to report for additional backdoors. Stages two and three are stashed inside a GIF image file downloaded from the command server. Neither Kaspersky nor CrySyS is saying publicly what the malware does once it takes hold of a victim until they have had a chance to privately warn infected organizations.
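The article says stages two and three arrive hidden in a GIF but not how they are embedded, so a defender triaging such a download wants to know where a viewer stops reading and how much of the file it never renders. The block below is an added example, not code from the Ars article or from Kaspersky or CrySyS: a GIF block walker that validates the structure and reports bytes after the 0x3B trailer and bytes carried in extension blocks, the two places a GIF can hold data no viewer displays. The assumption that a stashed payload would surface there is mine; the sample GIF, the appended bytes and the comment extension are constructed.

```python
import struct


def _skip_sub_blocks(data: bytes, pos: int) -> tuple[int, int]:
    """Step over a chain of GIF data sub-blocks (length byte + payload) ending in 0x00.
    Returns (position after the terminator, total payload bytes seen)."""
    total = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos, total
        if pos + n > len(data):
            raise ValueError("sub-block runs past end of file")
        pos += n
        total += n


def gif_trailing_data(data: bytes) -> dict:
    """Walk the GIF block structure and report where a viewer would stop reading.

    Returns {"trailer_offset", "trailing_bytes", "extension_bytes"}; raises ValueError
    on a structurally broken file, which is itself a signal worth acting on."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    packed = data[10]                      # <Packed Fields> of the logical screen descriptor
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    extension_bytes = 0
    while True:
        if pos >= len(data):
            raise ValueError("file ends without a 0x3B trailer")
        marker = data[pos]
        pos += 1
        if marker == 0x3B:                 # trailer: a viewer stops here
            return {"trailer_offset": pos - 1,
                    "trailing_bytes": len(data) - pos,
                    "extension_bytes": extension_bytes}
        if marker == 0x21:                 # extension: one label byte, then sub-blocks
            pos, payload = _skip_sub_blocks(data, pos + 1)
            extension_bytes += payload
        elif marker == 0x2C:               # image descriptor: 9 bytes, optional local table, LZW data
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:
                pos += 3 * (2 ** ((local_packed & 0x07) + 1))
            pos += 1                       # LZW minimum code size byte
            pos, _ = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block marker 0x{marker:02X} at offset {pos - 1}")


def is_well_formed(data: bytes) -> bool:
    """True when the block walk reaches a trailer without structural errors."""
    try:
        gif_trailing_data(data)
        return True
    except ValueError:
        return False


# Constructed 1x1 GIF89a: header, logical screen descriptor, 2-entry global colour
# table, one image block with a two-byte data sub-block, then the trailer (offset 34).
CLEAN_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    + b"\x02"
    + b"\x02\x44\x01"
    + b"\x00"
    + b"\x3b"
)
# Constructed stand-ins for hidden data: bytes appended after the trailer, and a
# comment extension (label 0xFE) inserted before the trailer.
HIDDEN_PAYLOAD = b"constructed-second-stage-bytes"
WITH_COMMENT = CLEAN_GIF[:34] + b"\x21\xfe" + b"\x05hello" + b"\x00" + b"\x3b"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_GIF),
                        ("appended", CLEAN_GIF + HIDDEN_PAYLOAD),
                        ("comment ext", WITH_COMMENT)):
        print(label, gif_trailing_data(blob))
```

Non-zero `trailing_bytes` or a large `extension_bytes` on a file that arrived from a command channel is a triage signal, not a verdict: some image tools do emit comment blocks, so the next step is to look at what those bytes are, and a file that fails the walk entirely deserves the same attention as one that hides data.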

"What we know is that some threat actor systematically attacked governmental organizations, and here we are not speaking about libraries, but highest-ranked organizations with malware in many NATO states," Boldizsar Bencsath, a researcher with CrySyS, wrote in an e-mail to Ars. "As well, they attacked human rights organizations, which is also a clear attack on democracy. In this situation the appropriate response should be organized and agile."

Kaspersky's report on MiniDuke is here. The CrySyS analysis is here, and the lab has published a separate document that shows experienced researchers how to detect the malware on infected machines.

MiniDuke's minimalistic approach, multiple levels of encryption, selection of victims, and use of compromised servers as command channels remind Kaspersky researchers of both the Duqu and the more recently discovered Red October espionage platforms. But the exploit code's literary and biblical references and allusions to hellish stories and situations are highly unusual for espionage malware of this caliber and success.

Although the Stuxnet virus contained what some researchers believe may be references to the Jewish Purim queen and the date an Iranian Jewish businessman was executed by firing squad in Tehran, the imagery in the MiniDuke exploit is altogether different. The Adobe exploit, which was first discovered by security firm FireEye, was also used in an attack Kaspersky researchers believe is unrelated to MiniDuke.

"There's images of hell and there's some numeric stuff littered in the zero-day that we would see back in the days of old-school virus writers that you don't see anymore," Baumgartner said. Because the initial attack that installs MiniDuke may have been spawned from an exploit tool, it's not entirely clear who is responsible for the biblical and literary references.

Then there's the multilayered technical agility of the malware, including its ability to locate the functions it needs by scanning memory at run time instead of declaring them as imports.

"The uses of encryption here along with taking these old assembler techniques and pushing them into a malware package that incorporates a highly resilient infrastructure implementing communications with high-availability services like Twitter and Google is just weird," Baumgartner said. "We're calling a backdoor DLL with no imports weird, which it is. It takes an old-school virus writer to come up with something like that."
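A backdoor DLL that declares no imports is the kind of property a defender can check for mechanically. The block below is an added example, not code from the article or from Kaspersky: it reads the PE headers by hand, finds the import and delay-load import data directories, and flags a DLL in which both are empty. The header-only test images are constructed here so the check runs offline; real files would be read from disk. The heuristic is mine and is a triage hint only: resource-only DLLs legitimately have no imports, and a module may also resolve functions at run time while still declaring a few.

```python
import struct

IMAGE_FILE_DLL = 0x2000          # Characteristics flag: image is a DLL
DIR_IMPORT = 1                   # data directory index of the import table
DIR_DELAY_IMPORT = 13            # data directory index of the delay-load import table


def check_imports(pe: bytes) -> dict:
    """Parse DOS, COFF and optional headers and report whether the import directories are empty."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", pe, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unexpected optional header magic 0x{magic:X}")
    ndirs = struct.unpack_from("<I", pe, ndirs_off)[0]

    def dir_size(index: int) -> int:
        # Each data directory entry is (VirtualAddress, Size); absent entries count as empty.
        if index >= ndirs:
            return 0
        return struct.unpack_from("<II", pe, dirs_off + 8 * index)[1]

    import_size = dir_size(DIR_IMPORT)
    delay_size = dir_size(DIR_DELAY_IMPORT)
    is_dll = bool(characteristics & IMAGE_FILE_DLL)
    return {
        "is_dll": is_dll,
        "import_size": import_size,
        "delay_import_size": delay_size,
        # A DLL that names no imports at all must find its APIs some other way;
        # worth a closer look, but resource-only DLLs look the same.
        "suspicious": is_dll and import_size == 0 and delay_size == 0,
    }


def build_headers(import_size: int, is_dll: bool = True, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for exercising check_imports (not a loadable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224                           # optional header with 16 directories
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)
    entry = ndirs_off + 4 + 8 * DIR_IMPORT
    struct.pack_into("<II", opt, entry, 0x2000 if import_size else 0, import_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, blob in (("no imports", build_headers(0)),
                        ("with imports", build_headers(0x80)),
                        ("PE32+ no imports", build_headers(0, pe32plus=True))):
        print(label, check_imports(blob))
```

Run against a directory of DLLs, the `suspicious` flag narrows the pile to modules that either carry no code of their own or resolve everything at run time; which of the two applies is the analyst's next question, and the check deliberately does not try to answer it.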

More PDF exploits. The world needs DONRDOF. That is, Display Only No Really DISPLAY ONLY format. It would be a format that explicitly excludes any form of scripting, forms, interactivity or anything besides displaying a two-dimensional, read-only page. Maybe just an easy-to-use viewer for some limited subset of TeX files.

Is yours the sort of organization that thinks interactive PDFs are a good idea? GO AWAY! You're part of the problem! We don't want you here!

Is your organization submitting a proposal to include javascript parsing in version 1.1 of DONRDOF? We have DONRDOF-YI for you! Display Only No Really DISPLAY ONLY format - You Idiot.

More PDF exploits. The world needs DONRDOF. That is, Display Only No Really DISPLAY ONLY format. It would be a format that explicitly excludes any form of scripting, forms, interactivity or anything besides displaying a two-dimensional, read-only page. Maybe just an easy-to-use viewer for TeX files.

TeX is Turing-complete, as is Postscript.

Markdown?

Markdown (at least as implemented by Gruber) was designed to handle arbitrary HTML by leaving it as is (though a stripped-down interpreter would also work). The problem is that HTML—at least as used in browsers—is not a document format, and it seems like extending Markdown to include formatting options would be a waste of time.

I like the idea, though. Is there any reason a really-stripped-down version of PDF couldn't become a new standard for this? If it's a subset of already-existent PDF, then it's instantly compatible with everything everyone already has, which is a big part of adoption right there.

It amazes me the shoddy state of security right now. I can't believe gov/national orgs are not using better and obvious methods of security. Is it a matter of money or just lack of experience that is at work here?

It's entirely possible that the affected organizations were up on their security. It's a new security flaw, and from the sound of things an ingeniously-written virus.

How many break-ins and compromises can Adobe products be responsible for before there is some kind of impact on Adobe? The same of course can be asked about Oracle and Java. Maybe I'm just not paying enough attention but it seems like new holes and stories of major exploits due to just those two companies are now a daily occurrence.

So you want to send a communication that essentially amounts to some text and maybe images. The way this is done in tens of thousands of offices is with a *printer language* file or a word processor file, each needing a special interpreter. Why?

Then having established this practice, you then use monstrously bloated, proprietary interpreters, where the vendors, for profit-oriented reasons, pack in more and more "features". Who ever asked for Javascript, Flash, and other code execution in document formats?

Then when all this proves insecure, do these organizations question the practices? No of course not, instead they pile on sandboxes, filters, proprietary "security" wares even more complex than the above, and try to "educate" the workers with vague warnings that become tiresome cliches.

There will never be real IT security until the organizational culture changes to eschew 90% of this rubbish.

It amazes me the shoddy state of security right now. I can't believe gov/national orgs are not using better and obvious methods of security. Is it a matter of money or just lack of experience that is at work here?

It's entirely possible that the affected organizations were up on their security. It's a new security flaw, and from the sound of things an ingeniously-written virus.

I get that, but I don't mean keeping your virus definitions up to date. I'm speaking more to simple security practices that make a virus like this a moot point. I can understand a virus like this causing havoc on residential systems, but on gov/nat machines, it is really inexcusable and preventable.

More PDF exploits. The world needs DONRDOF. That is, Display Only No Really DISPLAY ONLY format. It would be a format that explicitly excludes any form of scripting, forms, interactivity or anything besides displaying a two-dimensional, read-only page. Maybe just an easy-to-use viewer for some limited subset of TeX files.

Is yours the sort of organization that thinks interactive PDFs are a good idea? GO AWAY! You're part of the problem! We don't want you here!

Is your organization submitting a proposal to include javascript parsing in version 1.1 of DONRDOF? We have DONRDOF-YI for you! Display Only No Really DISPLAY ONLY format - You Idiot.

EDIT; A subset of TeX, full TeX is exactly what I don't want.

PDF is used for a lot of purposes besides read-only documents. On-line or off-line forms for instance, they are widely used to fill out forms for different purposes: taxes, insurance companies, etc. If you stop using Adobe's PDF, something else will have to fill the void; and will be subject to the same level of abuse.

I'm not saying that it's not Adobe's fault, because obviously they have added too many features that can be exploited without having the required protections in place.

That being said, I look forward to something more secure that doesn't force me to keep patching the computers at work every odd day. This month I've patched Java, Flash or Reader on every computer at work more times than I can remember.

More PDF exploits. The world needs DONRDOF. That is, Display Only No Really DISPLAY ONLY format. It would be a format that explicitly excludes any form of scripting, forms, interactivity or anything besides displaying a two-dimensional, read-only page. Maybe just an easy-to-use viewer for some limited subset of TeX files.

Is yours the sort of organization that thinks interactive PDFs are a good idea? GO AWAY! You're part of the problem! We don't want you here!

Is your organization submitting a proposal to include javascript parsing in version 1.1 of DONRDOF? We have DONRDOF-YI for you! Display Only No Really DISPLAY ONLY format - You Idiot.

The problem is that Adobe's PDF Reader has a full-on Javascript interpreter built in and enabled by default. As far as I know, Mac OS X's native PDF reader won't run any scripting language within a PDF.

I actually don't understand why PDFs have to be Turing complete. The primary goal of PDF is to replace paper and paper forms, not to be a platform unto itself (like Flash).

Sounds like someone has an appreciation for the ART of sophisticated malware. I could be friendly rivals on opposite sides of the war with this person.

I will consider them my Best Friends if they can hack the MAFIAA and release their dirty laundry to the Public Eye. Love to really see their shady accounting practices, corrupting government officials, emails, and any other kinds of evidence.

And what do you want to use instead? Word documents? What's the secure alternative to PDFs?

There is a format called TXT that is somewhat secure.

Basically it's a continuum. As you add features and power, you add attack surface area.

TXT is so simple to read and display, it's pretty easy to be sure it is secure. Probably the most complex thing is proper conversion of bytes into characters, otherwise known as a character encoding. Can your text viewer handle only ASCII - yuk. What about UTF-8? UTF-16? Etc, etc.

Then there is RTF.

Or plain simple HTML with no javascript. But it's a lot more complex and could have vulnerabilities. Even in something like the image decoding.
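The post above puts its finger on the one non-trivial step a plain-text viewer cannot avoid: turning bytes into characters. The block below is an added example, not code from the page or from any commenter: a strict UTF-8 well-formedness check following the RFC 3629 byte-range table, which rejects overlong encodings, encoded UTF-16 surrogates, code points above U+10FFFF and truncated sequences, alongside a comparison with the Python standard library's strict decoder. The sample byte strings are constructed.

```python
def validate_utf8(data: bytes) -> tuple[bool, str]:
    """Strict UTF-8 check (RFC 3629 well-formedness table).
    Returns (ok, reason); reason is "" when the input is well formed."""
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                       # one-byte ASCII
            i += 1
            continue
        # (continuation bytes needed, allowed range for the first continuation byte)
        if 0xC2 <= b0 <= 0xDF:
            need, lo, hi = 1, 0x80, 0xBF
        elif b0 == 0xE0:
            need, lo, hi = 2, 0xA0, 0xBF    # E0 80..9F would be an overlong 3-byte form
        elif 0xE1 <= b0 <= 0xEC or b0 in (0xEE, 0xEF):
            need, lo, hi = 2, 0x80, 0xBF
        elif b0 == 0xED:
            need, lo, hi = 2, 0x80, 0x9F    # ED A0..BF would encode a UTF-16 surrogate
        elif b0 == 0xF0:
            need, lo, hi = 3, 0x90, 0xBF    # F0 80..8F would be an overlong 4-byte form
        elif 0xF1 <= b0 <= 0xF3:
            need, lo, hi = 3, 0x80, 0xBF
        elif b0 == 0xF4:
            need, lo, hi = 3, 0x80, 0x8F    # F4 90.. would exceed U+10FFFF
        else:                               # C0, C1, F5..FF, or a stray continuation byte
            return False, f"invalid lead byte 0x{b0:02X} at offset {i}"
        if i + need >= n:
            return False, f"sequence at offset {i} is truncated"
        if not lo <= data[i + 1] <= hi:
            return False, f"bad second byte 0x{data[i + 1]:02X} at offset {i + 1}"
        for k in range(2, need + 1):
            if not 0x80 <= data[i + k] <= 0xBF:
                return False, f"bad continuation byte at offset {i + k}"
        i += need + 1
    return True, ""


def agrees_with_stdlib(data: bytes) -> bool:
    """True when the hand-written check and bytes.decode('utf-8') accept or reject alike."""
    try:
        data.decode("utf-8")
        stdlib_ok = True
    except UnicodeDecodeError:
        stdlib_ok = False
    return stdlib_ok == validate_utf8(data)[0]


# Constructed inputs: two well-formed strings and four classic malformed sequences.
SAMPLES = {
    "plain ascii": b"hello, world",
    "valid multibyte": "caf\u00e9 \u20ac \U0001F600".encode("utf-8"),
    "overlong slash (C0 AF)": b"\xc0\xaf",
    "encoded surrogate (ED A0 80)": b"\xed\xa0\x80",
    "truncated euro sign (E2 82)": b"\xe2\x82",
    "above U+10FFFF (F4 90 80 80)": b"\xf4\x90\x80\x80",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        ok, reason = validate_utf8(raw)
        print(f"{label:32} {'ok' if ok else 'REJECT: ' + reason}")
```

The point for a minimal viewer is that strictness is where the attack surface is kept small: decoding with `errors="replace"` or `errors="ignore"` quietly accepts every malformed sample above, and the overlong and surrogate forms are exactly the ones that have historically let one component see a different string than the one another component checked. Refusing the file is the cheaper behaviour.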

As mentioned by jarvis (and in the analysis), 666 is 29A in hex. 29A is a supposedly defunct virus group that worked 1995-2008. This could be someone back in action or just some props to the old group, since this code was an older style.

As mentioned by jarvis (and in the analysis), 666 is 29A in hex. 29A is a supposedly defunct virus group that worked 1995-2008. This could be someone back in action or just some props to the old group, since this code was an older style.

It's also the code for an airport in Sarah Palin's hometown of Wasilla, Alaska.

The Mark is about one thing and one thing only... Turning you into god via transhumanism and biotech and therein damning your soul to hell... Because by doing that, you permanently bind your soul to your flesh and are no longer eligible for redemption because at that point you are no longer genetically human... You pridefully wanna override God's design of yourself, then you pridefully choose hell and that's the truth! So enjoy your Kristen Stewart saying "Change me Edward! You're not gonna want me when I look like a grandmother!" and your Patrick Stewart saying "Mutation... It is the key to our evolution..." during the X-MEN voice-overs 'cause I know what's coming down the pike!

Is this a first anti-Singularity religion beginning?

Let's raise first points first. Which God? Is it a body of celestial beings, a single deity with multiple persons, a renegade deity in a wor, a single self-supporting deity, a force of nature or a mis-named intelligent force? Are there any other possible categories? (I'm sure there are...)

"Kuang Grade Mark Eleven was growing. `Dixie, you think this thing'll work?' `Does a bear shit in the woods?' The Flatline punched them up through shifting rainbow strata. Something dark was forming at the core of the Chinese program. The density of information overwhelmed the fabric of the matrix, triggering hypnagogic images. Faint kaleidoscopic angles centered in to a silver-black focal point. Case watched childhood symbols of evil and bad luck tumble out along translucent planes: swastikas, skulls and crossbones, dice flashing snake eyes." --Neuromancer

I can't read Ars Security & Hacktivism articles without experiencing a sudden, uncontrollable urge to re-read Neuromancer. This can be a problem because sometimes new articles show up more frequently than I can complete a read-through.

I'm talking about the one who went around telling the intellectual elitists of his day that "Ye are of your father the devil, and the lusts of your father ye will do. He was a murderer from the beginning, and abode not in the truth, because there is no truth in him. When he speaketh a lie, he speaketh of his own: for he is a liar, and the father of it. Ye serpents, ye generation of vipers, how can ye escape the damnation of hell?"

I'm talking about the one true God who said "There is a way which seemeth right unto a man, but the end thereof are the ways of death." My God is not a humanist... Though, he loved his human creation so much he sent a part of himself to die for them, he did not expect anything in return, hoping they would love him back in faith by way of freewill... Because love gives a choice... Anything else is slavery...

My God Is Jesus Christ... AND HE IS THE SINGULARITY!

"In the beginning God created the heaven and the earth." "In the beginning was the Word, and the Word was with God, and the Word was God." "And the Word was made flesh, and dwelt among us, (and we beheld his glory, the glory as of the only begotten of the Father,) full of grace and truth." "Jesus saith unto him, I am the way, the truth, and the life: no man cometh unto the Father, but by me."

Glad I Was Able To Clear That Up For Ya...
